China’s Cyberspace Administration of China (CAC) released a new FAQ regarding the management of cross-border data transfers. The clarification provides significant relief to enterprises navigating the complex regime of data export compliance under China’s Data Security Law and associated regulations. One of the most notable takeaways is the CAC’s confirmation that companies are not required to classify and report “important data” – a prerequisite for data export security assessments – unless their industry authority has either issued classification and identification rules or explicitly notified them to begin this process. Therefore, if such standards or notifications have not yet been issued, companies will not be considered non-compliant and should not be punished for not having taken the additional measures required for the export of “important” data. This removes a longstanding concern for businesses operating in industries where regulatory clarity is still pending.
